What is claimed is: 



1 1 . A method for an intermediary selectively coupling an external network and 

2 an internal network to dynamically generate filter rules to facilitate establishing an end to 

3 end secure session connection between a first device on the internal network and a 

4 second device of the external network, the method comprising: 

5 receiving a secure session establishment request by the second device on the 

6 external network to establish a secure communication session with the first device on 

7 the internal network; 

8 forwarding the secure session establishment request to the first device; 

9 monitoring the internal network for an approval or disapproval acknowledgement 

10 by the first device for the secure session establishment request; and 

11 if an approval authentication acknowledgement is monitored, then configuring a 

1 2 first filter rule of the intermediary to allow communication between the first and second 

1 3 devices through the intermediary. 

14 2. The method of claim 1 , further comprising: 

1 5 determining a presence advertisement for the first device has been received 

1 6 before forwarding the secure session establishment request to the first device. 

1 7 3. The method of claim 2 wherein the presence advertisement is delivered in 

18 accordance with the UPnP Simple Service Discovery Protocol (SSDP). 

19 4. The method of claim 1 , further comprising: 
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1 receiving network traffic from the second device corresponding to the second 

2 device requesting a UPnP Device Description Document from the first device. 

3 5. The method of claim 1 , further comprising: 

4 receiving a service request from the second device for the first device, the 

5 service request having an associated communication port for performing the service; 

6 determining the service request identifies a service advertised by the first device 

7 in a device description document; and 

8 configuring a second filter rule to allow communication between the first device 

9 and the second device using the associated communication port. 

1 0 6. The method of claim 1 , further comprising: 

1 1 providing the second device with an indicia for use by the second device in 

1 2 establishing a communication link to the first device. 

1 3 7. The method of claim 6, wherein the indicia is a selected one of a globally 

14 routable Internet Protocol (IP) address, or an internal network address non-routable on 

1 5 the external network. 

1 6 8. The method of claim 1 , wherein communication within the internal network 

17 is in accord with an IPv6 compatible Internet Protocol (IP). 

18 9. The method of claim 1 , further comprising: 

1 9 retrieving an Access Control List (ACL) from the first device, the ACL including 

20 an identification of devices authorized to establish communication sessions; and 
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1 determining based at least in part on the ACL the second device is authorized to 

2 establish the secure communication session with the first device before forwarding the 

3 secure session establishment request to the first device. 

4 10. The method of claim 1 , further comprising: 

5 receiving network traffic from the second device corresponding to a previous 

6 secure communication session established when the second device was previously on 

7 the internal network; and 

8 responding to said network traffic with an error such that the second device 

9 attempts to re-establish a secure communication session from the external network. 

10 11. The method of claim 1 , further comprising: 

1 1 establishing the end to end secure session connection between the first device 

12 on the internal network and the second device of the external network in a single end to 

13 end secure session connection between said first and second devices. 

14 1 2. A method for communicating with a device by way of an intermediary 

15 selectively coupling an external network and an internal network, comprising: 

1 6 receiving a presence advertisement for the device; 

1 7 storing a network address associated with the first device; 

1 8 determining services offered by the device; and 

19 while on the external network, issuing a secure communication initiation request 

20 to the device via the intermediary. 

21 13. The method of claim 12, wherein the intermediary is configured to: 
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1 forward the request to the device; 

2 monitor for an approval or disapproval authentication acknowledgement to the 

3 request; and 

4 configure a filter of the intermediary to allow communication with the device if an 

5 approval authentication acknowledgement is received. 

6 14. The method of claim 13, wherein the intermediary is further configured to 

7 configure the filter to block communication with the device is a disapproval 

8 authentication acknowledgement is received. 

9 1 5. The method of claim 12 wherein the presence advertisement is received 

10 while on the internal network. 

11 16. The method of claim 12, wherein while on the internal network, the 

12 method further comprising requesting a description of services offered by the device. 

13 17. The method of claim 1 6, wherein the description of services is requested 

14 from the intermediary. 

15 18. The method of claim 12, wherein while on the external network, the 

16 method further comprising requesting a description of services offered by the device. 

17 19. The method of claim 18, wherein the description of services is requested 

1 8 from the intermediary. 

19 20. The method of claim 12, further comprising: 

20 receiving an approval authentication acknowledgement to the request; and 
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1 responsive to the approval, requesting a service of the device. 

2 21 . The method of claim 12, wherein the network address associated with the 

3 first device is a globally unique network address having an address portion identifying 

4 the intermediary. 

5 22. The method of claim 12, wherein a traveling control point performs the 

6 method for communicating with the device. 

7 23. A system of devices communicatively coupled with an internal network 

8 and an external network via a gateway, comprising: 

9 a first device, communicatively coupled to the internal network, offering services; 
10 a second device selectively coupled with the internal and external networks, the 



1 1 second device seeking a service of the first device, wherein when requesting the 

12 service, said requesting includes sending a secure communication initiation request to 

13 the first device to facilitate establishing a secure communication session with the first 

14 device; and 



1 5 an intermediary selectively communicatively coupling the first and second 

16 devices, wherein the intermediary is configured to receive a secure communication 

17 initiation request from the second device over the external network and forward the 

1 8 request to the first device. 

1 9 24. The system of claim 23, wherein the intermediary is further configured to 

20 monitor the first device for an approval or disapproval authentication acknowledgement 

21 for the request, and to configure a filter of the intermediary controlling communication 
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1 over the first network from the first device based at least in part on a monitored 

2 authentication acknowledgement. 

3 25. The system of claim 23, wherein the first device communicates with the 

4 second device in accord with the UPnP Security Protocol. 

5 26. The system of claim 23, wherein the secure communication initiation 

6 request corresponds to a UPnP Set Session Key (SSK) request. 

7 27. An article comprising a machine-accessible media having associated data 



8 for an intermediary selectively coupling an external network and an internal network to 

9 dynamically generate filter rules to facilitate establishing an end to end secure session 

10 connection between a first device on the internal network and a second device of the 

1 1 external network, wherein the data, when accessed, results in the intermediary 

12 performing: 



13 receiving a secure session establishment request by a second device on the 

14 external network to establish a secure communication session with a first device on the 

15 internal network; 

1 6 forwarding the secure session establishment request to the first device; 

17 monitoring the internal network for an approval or disapproval acknowledgement 

1 8 by the first device for the secure session establishment request; and 

19 if an approval authentication acknowledgement is monitored, then configuring a 

20 first filter rule of the intermediary to allow communication between the first and second 

21 devices through the intermediary. 
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1 28. The article of claim 27, wherein the data further includes data, which 

2 when accessed, results in the intermediary performing: 

3 determining a presence advertisement for the first device has been received 

4 before forwarding the secure session establishment request to the first device. 

5 29. The article of claim 27, wherein the data further includes data, which 

6 when accessed, results in the intermediary performing: 

7 receiving a service request from the second device for the first device, the 

8 service request having an associated communication port for performing the service; 

9 determining the service request identifies a service advertised by the first device 

10 in a device description document; and 

1 1 configuring a second filter rule to allow communication between the first device 

12 and the second device using the associated communication port. 

1 3 30. The article of claim 27, wherein the data further includes data, which 

14 when accessed, results in the intermediary performing: 

1 5 providing the second device with an indicia for use by the second device in 

1 6 establishing a communication link to the first device. 

17 31 . The article of claim 27, wherein the data further includes data, which 

18 when accessed, results in the intermediary performing: 

19 retrieving an Access Control List (ACL) from the first device, the ACL including 

20 an identification of devices authorized to establish communication sessions; and 
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1 determining based at least in part on the ACL the second device is authorized to 

2 establish the secure communication session with the first device before forwarding the 

3 secure session establishment request to the first device. 

4 32. An article comprising a machine-accessible media having associated data 

5 for communicating with a device by way of an intermediary selectively coupling an 

6 external network and an internal network, wherein the data, when accessed, results in a 

7 machine performing: 

8 receiving a presence advertisement for the device; 

9 storing a network address associated with the first device; 

1 0 determining services offered by the device; and 

1 1 while on the external network, issuing a secure communication initiation request 

1 2 to the device via the intermediary. 

1 3 33. The article of claim 32, wherein the data further includes data, which when 

14 accessed by the machine, results in the machine performing: 

1 5 receiving the presence advertisement while on the internal network. 

1 6 34. The article of claim 32, wherein the data further includes data, which when 

17 accessed by the machine, results in the machine performing, while on the internal 

18 network, requesting a description of services offered by the device. 

1 9 35. The article of claim 32, wherein the data further includes data, which when 

20 accessed by the machine, results in the machine performing, while on the external 

21 network, requesting a description of services offered by the device. 
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1 36. Machine-accessible information for an intermediary selectively coupling an 

2 external network and an internal network embodied in a propagated signal which, when 

3 accessed, results in the intermediary performing: 

4 receiving a secure session establishment request by a second device on the 

5 external network to establish a secure communication session with a first device on the 

6 internal network; 

7 forwarding the secure session establishment request to the first device; 

8 monitoring the internal network for an approval or disapproval acknowledgement 

9 by the first device for the secure session establishment request; and 

10 if an approval authentication acknowledgement is monitored, then configuring a 

1 1 first filter rule of the intermediary to allow communication between the first and second 

1 2 devices through the intermediary. 

13 37. The propagated signal of claim 36, wherein the machine-accessible 

14 information further includes information, which when accessed, results in the 

1 5 intermediary performing: 

16 receiving a service request from the second device for the first device, the 

17 service request having an associated communication port for performing the service; 

18 determining the service request identifies a service advertised by the first device 

19 in a device description document; and 

20 configuring a second filter rule to allow communication between the first device 

21 and the second device using the associated communication port. 
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